Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

ATM Malware Surfaces as Hackers Target Banks in Eastern Europe

Trustwave uncovers malware on 20 ATM machines in Russia and Ukraine designed to allow hackers to swipe everything from cash to PIN codes. Officials at Trustwave advise merchants to take steps to ensure their ATM environment is secure.

Security researchers at Trustwave have uncovered an effort by cyber-thieves to use malware to infect and loot ATM machines in Eastern Europe .

Trustwave, which focuses on security and compliance for the payment card industry, discovered the malware while investigating ATM breaches in Russia and Ukraine. According to the company, roughly 20 ATMs were infected with malware that captures magnetic stripe data and PIN codes from the private memory space of transaction-processing applications installed on the compromised ATM.

"Picture you as a criminal walking up to an ATM machine and inserting a card into the machine that's not a real ATM card ... that has the code or essentially the string of numbers that essentially equals a trigger card within the malware," Nicholas Percoco, head of Trustwave's SpiderLabs, explained in an interview with eWEEK. "So every card that's inserted, the malware monitors what numbers are being inserted into the system. If it gets the right number or the right set of numbers, it launches its interface to the ATM screen."

Each of the compromised ATMs studied by Trustwave ran Microsoft Windows XP. In order to install the malware, the attacker needs to have physical access to the machine. According to Trustwave, the malware is installed and activated through a dropper file by the name of isadmin.exe, a Borland Delphi RAD (Rapid Application Development ) executable. The dropper binary contains a Data Resource (RCDATA) named PACKAGEINFO that contains the actual malware. Executing the dropper file produces the malware file lsass.exe inside the C:\WINDOWS directory of the compromised system.

Further reading

Once the malware is extracted, the dropper manipulates the 'Protected Storage' Service to point toward the newly created malware. The service is also configured to automatically restart if it crashes, ensuring that the malware remains active, according to the Trustwave report.

"This isn't targeting one ATM vendor; it's targeting multiple ATM vendors, and the attacker could modify it to attack other ATM vendors if they want it to," Percoco said.

Authorities in Eastern Europe were notified about the situation. But there is evidence-which Percoco said the company would not disclose-that the scam is making its way over to other parts of the world, including the United States. If so, it wouldn't be the first time hackers have targeted ATM information.

He suggested merchants perform a full security review of their ATM environment and look for any gaps in physical security. For example, he said, is there an alert triggered when a machine is opened?

"The other piece is following security best practices on the system itself, having anti-virus installed on it, having (locked) down USB ports, making it very difficult for someone to actually-if they were to open up the machine-to do anything to the operating system itself," he said.